Cross-site request forgery validation failed. Required param "state" missing Laravel Sammyk/Facebook package

Question

I am working with the SammyK/Facebook package and facing an issue with facebook login over CSRF. Earlier it worked fine,but later I had to disable the CSRF protection in my kernel.php for smooth working of API. Now I have it updated and added the below lines in the middleware

  public function handle($request, Closure $next) {
   $skip = array(
              'api/v1/signup',
              'api/v1/login',
              'api/v1/addContacts',
              'api/v1/email'
             );
    foreach ($skip as $key => $route) {
      //skip csrf check on route
      if($request->is($route)){
          return parent::addCookieToResponse($request, $next($request));
      }
   }
   return parent::handle($request, $next);
  }

So this allows web and api to work as expected,but since I had disabled the csrf I get the Cross-site request forgery validation failed. Required param "state" missing error when I do a FB login. I tried to debug and found in the FacebookRedirectLoginHelper the function validateCsrf() does not get the savedstate $savedState = $this->persistentDataHandler->get('state');
I am not sure how to resolve this as ideally it should work now.I tried printing both the $state and $savedState and I get $savedState as null.

    class FacebookController extends Controller {
     public function fbConnect(LaravelFacebookSdk $fb)
     {
      // Obtain an access token.
     try {
     $token = $fb
        ->getRedirectLoginHelper()
       ->getAccessToken();
     } catch (Facebook\Exceptions\FacebookSDKException $e) {
          dd($e->getMessage());
    }
   // Access token will be null if the user denied the request
    // or if someone just hit this URL outside of the OAuth flow.
 if (! $token) {
    // Get the redirect helper
 $helper = $fb->getRedirectLoginHelper();

   if (! $helper->getError()) {
        abort(403, 'Unauthorized action.');
   }

   // User denied the request
    dd(
       $helper->getError(),
       $helper->getErrorCode(),
       $helper->getErrorReason(),
       $helper->getErrorDescription()
     );
  } 

Answer 1

Finally, looking into FB code, I discovered that the problem "Cross-site request forgery validation failed. Required param “state” missing" and similars are caused by PHP variable $_SESSION['FBRLH_state'] that for some "strange" reason when FB call the login-callback file.

To solve it I store this variable "FBRLH_state" AFTER the call of function $helper->getLoginUrl(...). Is very important to do only after the call of this function due to is inside this function when the variable $_SESSION['FBRLH_state'] is populated.

Below an example of my code in the login.php:

$uri=$helper->getLoginUrl($uri, $permissions);
foreach ($_SESSION as $k=>$v) {                    
    if(strpos($k, "FBRLH_")!==FALSE) {
        if(!setcookie($k, $v)) {
            //what??
        } else {
            $_COOKIE[$k]=$v;
        }
    }
}
var_dump($_COOKIE);

And in the login-callback.php before calling all FB code:

foreach ($_COOKIE as $k=>$v) {
    if(strpos($k, "FBRLH_")!==FALSE) {
        $_SESSION[$k]=$v;
    }
}

Last, but not least, remember also to include code for PHP session so..

if(!session_id()) {
    session_start();
}
...
...
...
...
<?php session_write_close() ?>

I hope this response can help you to save 8-10 hours of work :) Bye, Alex.

Answer 2

For those who are using Code Igniter , you will have to autoload the session library.

Change your application/config/autoload.php , libraries must include 'session':

$autoload['libraries'] = array('session');